
nProtect GameGuard not detected by Spybot SD



ali3nx
2009-09-04, 04:26
I'm a certified network systems engineer and recently wanted to test the Aion open beta game client until I discovered the game installed a monitoring rootkit called GameGuard that does not appear to be detected by Spybot SD. I've recommended Spybot SD to clients in numerous consultations over the past years and wanted to inquire about why nProtect GameGuard has been allowed to fall under the radar. At least on my x64 Windows 7 RTM install nProtect GameGuard was not detected at all :confused:

Generally speaking about malware and/or spyware, nProtect GameGuard certainly fits the profile of software that:

1) installs unauthorized services for the primary purpose of monitoring your computer habits
2) cannot be easily removed by uninstalling the game (Aion open beta client for this example) that likely installed nProtect GameGuard
3) does not allow any modifications for removal utilizing the Add or Remove Programs control panel menu, due to Add/Remove Programs entries not being created

ali3nx
2009-09-04, 07:40
Thanks to tashi for moving my post to the correct location :bigthumb:

I also wanted to quote an entry from Wikipedia that both validates and addresses more of the concerns with nProtect being classified as malware. As well, any attempts to remove the GameGuard folders or system files will force GameGuard to reinstall the files the user has manually deleted, without prompting the user in any way whatsoever and without any user intervention. Completely unattended reinstallation from a rootkit "image" file. It's certainly very invasive and difficult to remove. Noted, I'm very experienced; however, my time invested to manually remove all the GameGuard files and registry entries consumed many hours of detailed labor with regedit. I'm certain that Wikipedia's remarks are being extremely generous with GameGuard's reputation despite how invasive the application is and how much of a nuisance GameGuard is to remove.

http://en.wikipedia.org/wiki/NProtect_GameGuard

GameGuard hides the game application process, monitors the entire memory range, terminates applications defined by the game vendor and INCA Internet to be cheats (QIP for example), blocks certain calls to DirectX functions and Windows APIs, and auto-updates itself to change as new threats surface. nProtect GameGuard is launched via GameMon.des with a driver dump_wmimmc.sys.


Problems
There are issues with GameGuard regarding problems with other programs. Many of the problems have been solved or are in the process of being resolved.[1] Currently, however, there still is an old unpatched privilege escalation bug present[2][3].

Because of its method of actuation (very similar to a rootkit[4]), it is criticized for being extremely invasive, often without knowledge of the end user. The software installs a device driver which is difficult to uninstall; even uninstalling the game will still leave some files hidden on the system[5], but it stays inactive without the game. Most anti-virus vendors currently exclude nProtect GameGuard from their detection databases due to it being commercial software, however this was initially not the case, leading to system crashes as both the Antivirus and GameGuard attempted to override each other. When installing a game that utilizes GameGuard, this program may be installed onto the client machine without the user's authorization or permission.

nProtect GameGuard constantly updates itself and provides new protection against the latest threats.

On some games such as MapleStory, the game itself does a hash check of the GameGuard revision currently running and will exit if it does not match the hash on the server side.[citation needed] This is a security measure from nProtect GameGuard to ensure that GameGuard has not been hacked and nProtect GameGuard should update to the latest version under normal circumstances. But it can be easily compromised with packet software, such as Russian PacketHack which is designed for packet interception and hacking on net-driver level.


Because of the way that GameGuard hooks into core system DLLs and interrupts[6], it is impossible (without hacking GameGuard and violating the TOS) to run games protected by GameGuard under Windows API Emulators, such as Wine under Unix-based operating systems[7]. The key issue being that GameGuard bypasses the OS safeguards in order to:

* Hide the game application process.
* Monitor the entire memory range.
* Terminate specific applications without the user consent (sometimes tries to disable Kernel hooks).
* Block specific calls to DirectX or the Windows API.


The comment that GameGuard stays inactive without any games being active is very untrue. The system service GameGuard installs was started and functioning without the Aion game client or NCsoft's launcher running at all.
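A defender's check for the components the thread names, added here as an example and not code from the original thread: it looks for GameMon.des and dump_wmimmc.sys among registered services and kernel drivers, reports whether they are running with no game started, and checks for an Add/Remove Programs entry. Service names are not given in the thread, so matching by file name and display name, and the drivers directory as the driver location, are assumptions.

```powershell
# Added example, not from the original thread. Reports whether the GameGuard
# components named above (GameMon.des, dump_wmimmc.sys) are registered as a
# service or kernel driver, whether they are currently running, and whether
# any Add/Remove Programs entry exists for them. Service names are not given
# in the thread, so matching is by file name / display name (an assumption).
$indicators = @('GameMon.des', 'dump_wmimmc.sys', 'GameGuard')

# Services and kernel drivers both live under HKLM\SYSTEM\CurrentControlSet\Services;
# WMI exposes them as Win32_Service and Win32_SystemDriver respectively.
$registrations = @()
$registrations += Get-CimInstance Win32_Service |
    Select-Object @{n='Kind';e={'Service'}}, Name, State, StartMode, PathName
$registrations += Get-CimInstance Win32_SystemDriver |
    Select-Object @{n='Kind';e={'Driver'}}, Name, State, StartMode, PathName

$hits = $registrations | Where-Object {
    $entry = $_
    ($indicators | Where-Object {
        $entry.Name -like "*$_*" -or $entry.PathName -like "*$_*" }).Count -gt 0
}

if ($hits) {
    Write-Host 'GameGuard-related service/driver registrations:'
    $hits | Format-Table Kind, Name, State, StartMode, PathName -AutoSize
    # The post observed the service active with no game client open; a
    # Running state here while no game is started reproduces that finding.
    $hits | Where-Object { $_.State -eq 'Running' } |
        ForEach-Object { Write-Warning "$($_.Kind) '$($_.Name)' is running now." }
} else {
    Write-Host 'No GameGuard service or driver registration found.'
}

# Driver file on disk (assumed location: the standard drivers directory).
$driverPath = Join-Path $env:SystemRoot 'System32\drivers\dump_wmimmc.sys'
Write-Host ("dump_wmimmc.sys present in drivers directory: {0}" -f (Test-Path $driverPath))

# Add/Remove Programs entries come from the Uninstall keys (64-bit and
# 32-bit views). The post reports that GameGuard creates none.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$arp = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*GameGuard*' -or $_.DisplayName -like '*nProtect*' }
if ($arp) { $arp | Format-Table DisplayName, UninstallString -AutoSize }
else      { Write-Host 'No Add/Remove Programs entry for GameGuard found (matches the post).' }
```

Run it from an elevated PowerShell session with no game client open; a Running driver or service reported alongside an empty Add/Remove Programs result is exactly the condition the thread describes.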